The European Union is considering introducing new regulations to restrict the use of U.S. cloud service providers by member governments when processing sensitive data, in order to reduce reliance on non-EU digital infrastructure and promote the development of local "sovereign clouds." Multiple informed European Commission officials revealed to the media that this idea is expected to be included in the EU's "Tech Sovereignty Package" to be announced on May 27.
According to reports, the European Commission is discussing within the upcoming plan to set a "sovereignty" threshold for the public sector's choice of cloud services, focusing on reducing the exposure of sensitive public sector data to non-EU cloud platforms. An unnamed official said, “The core idea is to define a number of key areas that must be hosted on European cloud capabilities.” Cloud service providers from third countries such as the United States may be affected.
According to the current direction of the discussion, the relevant proposals will not completely ban overseas cloud service providers from participating in government contracts, but will set restrictions on their use in the processing of sensitive data in the public sector based on the data sensitivity level. One official pointed out that this means that "US cloud service providers may face usage restrictions in some sensitive and strategic areas of public institutions in member countries." At present, finance, justice, and medical health are regarded as sensitive data types that are under discussion. In the future, they may be required to rely more on cloud infrastructure with sovereign attributes.
It is worth noting that this round of discussions on the sovereignty of cloud services only focuses on government and public sector data, and does not involve private companies for the time being. In other words, the "Technological Sovereignty Plan" will not directly impose mandatory requirements on private companies when choosing cloud platforms.
Behind the above-mentioned trends is the tightening of relations between the EU and the new U.S. government headed by President Trump in recent months, and concerns about "digital dependence" within Europe have rapidly increased. Currently, American companies still dominate the European cloud computing market: Amazon, Microsoft, and Google collectively control more than 70% of the market share, with Amazon accounting for approximately 29%, Microsoft approximately 24%, and Google approximately 18%. Under the framework of the Cloud Act promulgated in 2018, U.S. law enforcement agencies have the right to retrieve data from U.S. companies, regardless of where the data is physically stored. This has further aroused European countries' concerns about the security of critical data.
In this context, European governments are accelerating the search for local and open source alternatives and increasing budgets related to digital sovereignty. In February this year, government officials from many countries stated that they were already evaluating self-developed or European solutions to replace large-scale U.S. technology platforms. The French government announced in January this year that it will launch the video conferencing tool "Visio" developed under the leadership of the government, and plans to gradually replace American tools such as Microsoft Teams and Zoom in government systems by 2027.
The EU level is also promoting the construction of sovereign cloud through actual projects. In April this year, the European Commission awarded tender contracts totaling 180 million euros to four European sovereign cloud projects to provide cloud service solutions to EU agencies and institutions. One of the projects involves a joint venture between French aerospace and defense company Thales and Google Cloud, which reflects the EU's emphasis on sovereignty while balancing security and innovation needs through joint ventures and technical cooperation.
The "Technology Sovereignty Plan" is expected to cover not only cloud computing, but also the Cloud and AI Development Act (CADA) and the "Chip Act 2.0", aiming to encourage the cultivation of more local solutions and products in key areas such as cloud computing, artificial intelligence, and semiconductors. Once the plan is formally proposed by the European Commission, it still needs to be approved by all 27 member states before it can take effect.
Regarding external concerns about whether the plan will trigger transatlantic technology and trade frictions, a spokesman for the European Commission did not directly respond to the details, but emphasized that the plan "is related to Europe's self-awareness and ability to act in the digital age." The spokesman said that the goal of the plan is to expand "sovereign cloud" opportunities through public procurement and other tools and support more cloud and artificial intelligence service providers with diverse backgrounds to enter the market.
From the perspective of public opinion within Europe, this round of discussions on the path to cloud access for sensitive government data is not only a single market competition issue, but is also seen as a comprehensive game surrounding geopolitical competition, data sovereignty and security risks. How to strike a balance between ensuring the security of critical data, maintaining open markets and promoting technological innovation will become a long-term test for the EU after the introduction of the "Technological Sovereignty Plan".